bahurum
commented
2 years ago I'd say this is invalid. Didn't fully get PoC, but callback() is nonReentrant, so I would say there is no re-entrancy issue.
Closed code423n4 closed 1 year ago
bahurum
commented
2 years ago I'd say this is invalid. Didn't fully get PoC, but callback() is nonReentrant, so I would say there is no re-entrancy issue.
Oighty
commented
2 years ago Agree with @bahurum .
0xean
commented
1 year ago closing as invalid.
Lines of code
https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/policies/BondCallback.sol#L127 https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/policies/BondCallback.sol#L143 https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/policies/BondCallback.sol#L144
Vulnerability details
Impact
when withdraw reserves from TRSRY to msg.sender,it may go to other external uncontrollable contract logic if reserve token contract transferFrom function call to other contract ,it will cause other market use this callback asset loss or this contract amountsPerMarket can't match real amount.
Proof of Concept
when withdraw reserves from TRSRY to msg.sender,it may go to other external uncontrollable contract logic if reserve token contract transferFrom function call to other contract (like EIP1271 to valid signature).it will cause
amountsPerMarkethas not update,but attacker utilize it logic to call other market or some contract use unupdatedamountsPerMarketdata(re-entrant use amountsForMarket function),it will make some market asset loss.Attacker also can use it logic to transfer some payout token(if this token don't have nonReentrant) letpriorBalancescan't match realpriorBalances, and letamountsPerMarketcan't match real amount.Recommended Mitigation Steps
modify priorBalances and _amountsPerMarket before line 127 :
TRSRY.withdrawReserves(msg.sender, payoutToken, outputAmount_);it can avoid Re-Entrancy.